Thanks to a TWEET® from Thomas Rid yesterday I had a chance to read an article by Dale Peterson in the Journal of Strategic Studies about offensive cyber-weapons. Now if you have been reading Dale’s blog at DigitalBond for the last couple of years like I have, there really isn’t much new information here, but he has brought a great deal of information together in a way that hasn’t been done before. More importantly, he has brought the information to a completely new audience, an audience that really needs to understand just how easy it is to construct a cyber-weapon to attack industrial control systems.
Insecure By Design
People in the control system security community are certainly aware of Dale’s almost patented phrase ‘insecure by design’. Not surprisingly Dale opens his article with a discussion of this concept. Using the Stuxnet example he explains:
“The purpose of Stuxnet was to load a program onto the Programmable Logic Controller (PLC) that controlled the centrifuges at the Natanz fuel enrichment plant. The attackers developed various Windows exploits in order to gain access to the network that the PLCs were on. But once access was gained, no attack code was required to load the cyber weapon onto the PLCs. The Siemens S7 PLC has no source or data identification so any attacker with access to it can load his own program, tell the process to stop, reboot the PLC, or whatever else is desired.”
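Because the controller itself cannot tell who is sending it a program download or a stop command, the only place left to check the source is the network in front of it. The following is an added example, not code from the original post or from Dale Peterson’s article: a small detector that reads constructed ICS traffic log lines and flags control-changing operations (program download, CPU stop, restart, firmware update) that do not come from a host on the site’s engineering-workstation allowlist. The log format, the operation names and all IP addresses are assumptions made up for the illustration.

```python
"""
Flag control-changing PLC operations from hosts that are not engineering
workstations. Added example; the log format, operation names and addresses
below are constructed for illustration, not taken from any real product.
"""
from dataclasses import dataclass

# Operations that change what the controller runs, or whether it runs at all.
# Names are constructed; a real deployment maps them from the protocol decoder.
CONTROL_OPS = {"program_download", "cpu_stop", "cpu_restart", "firmware_update"}

# Hosts permitted to issue those operations (assumption: the site maintains
# such an inventory). Anything else talking to a PLC this way is suspicious.
ENGINEERING_HOSTS = {"10.0.5.10"}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    op: str
    reason: str


def parse_line(line):
    """Parse a constructed log line: '<ts> src=<ip> dst=<ip> op=<name>'.
    Returns (src, dst, op) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    if not {"src", "dst", "op"} <= fields.keys():
        return None
    return fields["src"], fields["dst"], fields["op"]


def detect(lines, allowed=ENGINEERING_HOSTS, control_ops=CONTROL_OPS):
    """Return one Alert per control-changing operation from a non-allowed host.
    Reads and other passive operations are ignored regardless of source."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, op = parsed
        if op in control_ops and src not in allowed:
            alerts.append(Alert(src, dst, op,
                                "control operation from non-engineering host"))
    return alerts


# Constructed sample traffic: an engineering host doing normal work, then an
# unknown host reading data and, a few seconds later, loading a program and
# stopping the CPU on the same controller.
SAMPLE_LOG = [
    "2012-06-01T08:00:00 src=10.0.5.10 dst=10.0.7.20 op=read_data",
    "2012-06-01T08:00:05 src=10.0.5.10 dst=10.0.7.20 op=program_download",
    "2012-06-01T08:01:00 src=10.0.9.44 dst=10.0.7.20 op=read_data",
    "2012-06-01T08:01:07 src=10.0.9.44 dst=10.0.7.20 op=program_download",
    "2012-06-01T08:01:09 src=10.0.9.44 dst=10.0.7.20 op=cpu_stop",
    "",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.src} -> {alert.dst}: {alert.op} ({alert.reason})")
```

The detector has the obvious limit that the quoted passage itself points at: it only catches the “anyone with access” case. A program download sent from a compromised engineering workstation, which is the Stuxnet path, passes the allowlist and would have to be caught by something else, such as comparing the downloaded program against a known-good copy.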
Three Weapon Types
Dale addresses the issue of the complexity of industrial control systems being a sort of cyber-defense by noting that there are three different types of attacks that can be initiated, depending on the knowledge the attacker has about the control system. Basically they can be described as:
• Simple Weapon – The “attacker uses the lack of authentication to cause the system to crash or operate incorrectly”;
• Moderately Complex Weapon – The “attacker learns about the process and determines how to destroy a physical component or subsystem that will take time to replace”; and
• Complex Weapon – The “attacker modifies the process in a stealthy manner so a cyber attack is not suspected”.
He goes on to give a brief example of how complex a ‘simple weapon’ can be made using a worm to reprogram firmware in a ControlLogix PLC that produces intermittent process failures. As a process chemist this is my most feared type of attack because random failures will be almost impossible to detect as an attack. Unless the facility engineering team has reason to suspect a cyber-attack they will waste untold man-hours trying to track down the root cause of their apparently unrelated process problems while the facility becomes an economic wreck.
Dale notes that cyber-weapon deployment is actually more difficult in most cases than the development of the actual attack code. This is because most critical cyber-targets are going to be electronically isolated from the easiest attack vector, the internet. Dale briefly describes a variety of common methods of getting the electronic weapon payload into the targeted system. Unfortunately, to my mind, he only mentions in passing the method most likely to be employed against most Western nations: spear phishing.
Because of the difficulties in gaining electronic access to the most important targets, the most effective method of deployment is advance placement of the electronic payload and then subsequently activating the weapon at the most opportune time. This requires some sort of ‘command and control’ communications link. Dale spends some time describing some of the techniques that are available to achieve these communications.
As I noted earlier, Dale is focusing this paper on a different audience than he normally attracts to his blog or his business. Given the publication, it is obvious that he is targeting the planners and politicians that will be either deploying cyber-weapons or defending against them. With that audience in mind, I think he has achieved a reasonable level of technical detail in his presentation. I think he has successfully avoided the pitfalls frequently encountered when a technical expert describes a problem for a non-technical audience.
Most readers of this blog are not going to find anything new here, but I do recommend that anyone in the control system business, including owners, vendors, and integrators, should send a copy of this article to their legislative representatives in Washington. With cybersecurity being an important political topic in the coming months, this article might help to favorably inform the lawmakers about the real cybersecurity problems facing this country.